Westpoint Security Advisory
---------------------------

Title:        Phorum 5.2.10 Cross-Site Scripting Vulnerability in register.php
Risk Rating:  Med
Platforms:    PHP (Windows and UNIX)
Author:       Andrew Paterson
Date:         06 Mar 2009
Advisory ID#: wp-09-0002
URL:          http://www.westpoint.ltd.uk/advisories/wp-09-0002.txt
CVE:          number requested from cve@mitre.org on 05 Mar 2009

Overview
--------

Phorum 5.2.10 contains a flaw in register.php which exposes users with login credentials to cross-site scripting exploits.

Details
-------

http://{phorum_location}/register.php contains a form field, used for the captcha, which is vulnerable to cross-site scripting via POST data. The field looks like this in the source:

On submission, the page reflects the user input back without escaping special characters. The issue can be demonstrated by entering, for example:

">

It is necessary to disable the maximum field length first.

Impact
------

This flaw allows a potential attacker to inject malicious JavaScript or HTML code, which will run at the same trust level as the server. This may enable them to steal session cookies, form details, or other information.

Exploitability of the flaw is limited against most users due to the field-length restriction and the random generation of the field name on each page reload.

Timeline
--------

06 Mar 2009          Phorum authors informed of the vulnerability
11 Mar 2009 (00:42)  Fix applied by Phorum developer mmakaay (see http://www.phorum.org/changelog-5.txt)
22 May 2009          Phorum 5.2.11 released, with fix applied: http://www.phorum.org/phorum5/read.php?64,138376,138376
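The two points the Details and Impact sections make, that reflecting a POSTed value into an HTML attribute without encoding lets a value such as "> break out of the attribute, and that a client-side maximum field length is not a control because the client can simply remove it, are illustrated by the following PHP. This is an added example written for this advisory, not Phorum's own code; the field name captcha_answer, the function names and the length limit are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not Phorum's register.php. The field name
// "captcha_answer", the function names and the length limit are assumptions.

// Vulnerable pattern: a POSTed value is echoed straight back into an HTML
// attribute. A value such as  ">  closes the attribute and the <input> tag,
// so whatever follows it is parsed by the browser as markup.
function render_captcha_field_unsafe(array $post): string
{
    $value = $post['captcha_answer'] ?? '';
    return '<input type="text" name="captcha_answer" maxlength="10" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context and enforce the
// length limit on the server. The maxlength attribute is only a browser hint;
// as the advisory notes, the client can disable it, so it must not be relied on.
function render_captcha_field_safe(array $post, int $maxLen = 10): string
{
    $value = $post['captcha_answer'] ?? '';
    if (!is_string($value) || strlen($value) > $maxLen) {
        // Reject over-long or non-string input instead of reflecting it.
        $value = '';
    }
    // ENT_QUOTES encodes both " and ' so the value cannot terminate the
    // attribute under either quoting style; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences rather than returning an empty string silently.
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="captcha_answer" maxlength="' . $maxLen
         . '" value="' . $encoded . '">';
}

// Constructed sample input using the demonstration value from the advisory.
$sample = ['captcha_answer' => '">'];
echo render_captcha_field_unsafe($sample), "\n"; // attribute and tag are closed early
echo render_captcha_field_safe($sample), "\n";   // encoded value stays inside the attribute
```

Running the file from the command line with php shows the difference directly: the unsafe rendering contains a closed tag followed by a stray quote, while the safe rendering keeps the whole submitted value inside the value attribute. The same output-encoding rule applies to any other place a page echoes request data, including the randomly generated field name the advisory mentions, since randomness of the name only raises the cost of a blind attack and does not remove the need to encode.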